
Grant sudo Access to users for Limited Commands on Mac and Linux 💻

saifshaik
JumpCloud Employee

Hello Admin Friends!

We're almost at the end of H1'24, and I hope everything has gone well so far. I wish and pray that everything will be even better in the next half 💥. With that said, today I'm here to show you how to grant sudo access to JumpCloud users for specific commands only on macOS and Linux, leveraging JumpCloud Commands.

Why?

As an IT administrator, there may at times be a need to grant sudo permissions to an end user to perform certain privileged tasks or execute critical scripts. Instead of granting them full-blown sudo access, we can grant them sudo access only for specific commands. This access is typically granted to keep workflows efficient and let users carry out necessary actions without the direct intervention of administrators.

How?

This can be achieved by adding custom rules for the JumpCloud user to the /etc/sudoers.d folder. This folder allows multiple configuration files to be added to manage users' sudo privileges, and is often used to modularize and simplify the management of sudo.

Solution:

for macOS -

First, we begin by reviewing the existing files in the sudoers.d directory by sending the command below to the Mac via JumpCloud Commands, set to run as 'root':

cd /etc/sudoers.d && ls

The output of the command lists the contents of this folder, including the sudo file of the target JumpCloud user.

(Screenshot 2024-06-13 at 10.28.41 AM.png)

In my case nyc is the username of my JC user, bound to my test Mac. This user does not have sudo permissions granted from JumpCloud, so it's a standard user account on the device.

Next, we create a new file with a custom rule in the /etc/sudoers.d/ directory, using the command below:

sudo echo "USERNAME ALL=(ALL) /bin/COMMAND1, /usr/bin/COMMAND2, /usr/sbin/COMMAND3" >> /etc/sudoers.d/01-username

We need to modify USERNAME to match the username of the target user account, and replace each COMMAND with the command we want to allow, such as cat, grep, chown or md5, along with its absolute path. We can add as many commands as we wish by separating them with a comma (,).

Different macOS binaries reside at different locations depending on the nature of the command. The absolute path to the binary needs to be added carefully, based on the commands we're looking to allow. Here's a quick summary of the different command paths on macOS:

  1. /usr/bin: Contains essential command binaries that need to be available in single-user mode, such as system administration commands and basic utilities. Commands like man, zip, less, unzip, top etc., are stored here.
  2. /bin: Contains essential command binaries that are required to boot and run the system in single-user mode, including basic system utilities. Commands like ls, cp, mv, mkdir, chmod, bash etc., are stored here.
  3. /usr/sbin: Contains non-essential system binaries used by the system administrator, such as networking and system administration commands. Commands like visudo, fdisk, chroot, cron, audit etc., are stored here.
  4. /sbin: Contains essential system binaries used for system administration tasks, especially those needed for system repair and recovery. Commands like fsck, ifconfig, ping, md5, mount etc., are stored here.
  5. /usr/local/bin: A common place for user-installed software and custom scripts. Software installed via Homebrew, for instance, often resides here. Commands like pwsh, homebrew are stored here.
  6. /usr/local/sbin: Similar to /usr/local/bin, but for non-essential system binaries used by the system administrator.
  7. /opt: Some third-party software might be installed here. For example, software installed via package managers might reside in /opt/local/bin.
  8. ~/bin: User-specific binaries. If you create a bin directory in your home directory and add it to your PATH, you can place your personal scripts and executables there.

We can locate the full path to the binary using the which command, à la:

Saifs-MacBook-Pro:~ saif$ which cat
/bin/cat
Saifs-MacBook-Pro:~ saif$

With the above command configured in JumpCloud Commands and assigned to the target Mac, we can execute it. The output of this command is blank, as we are simply adding a file to the sudoers.d directory. The result looks like this, and that's expected:

(Screenshot 2024-06-13 at 10.52.21 AM.png)

As we can see in my example, I've granted permissions to the user nyc to execute the cat, md5 and syslog commands as sudo.

We can run cat on the newly created user's sudoers file to verify its contents:

(Screenshot 2024-06-13 at 11.00.05 AM.png)

Now the end user can verify their sudo access to these limited commands from the Terminal. Here's proof for my user nyc, who is able to sudo on cat but not on touch:

(Screenshot 2024-06-13 at 11.08.35 AM.png)
for Linux -

Similar to the Mac, we begin by reviewing the existing files in the sudoers.d directory by sending the command below to the Linux device via JumpCloud Commands, set to run as 'root':

cd /etc/sudoers.d && ls

The output of the command lists the contents of this folder, including the sudo file of the target JumpCloud user.

(Screenshot 2024-06-13 at 11.49.29 AM.png)

In my case sfo is the username of my JumpCloud user, bound to my test Linux device. This user does not have sudo permissions granted from JumpCloud, so it's a standard user account on the device.

Next, we create a new file with a custom rule in the /etc/sudoers.d/ directory, using the command below:

sudo echo -e "USERNAME ALL=(ALL) /bin/COMMAND1, /usr/bin/COMMAND2, /usr/sbin/COMMAND3" >> /etc/sudoers.d/01-username

NOTE - While we could skip the '-e' parameter, we add it to enable interpretation of backslash escapes. When '-e' is used, sequences like \n (newline), \t (tab), and others are processed.

We need to modify USERNAME to match the username of the target user account, and replace each COMMAND with the command we want to allow, such as systemctl, cat or chown, along with its absolute path. We can add as many commands as we wish by separating them with a comma (,).

On a Linux system, commands (executables) reside in various directories, which are part of the system's PATH environment variable. As these directories are searched in order when a command is executed in the terminal, adding the absolute path of the command we're looking to allow saves a split second of lookup. Here's a quick summary of the different command paths in Linux:

  1. /bin: Contains essential command binaries that are needed to boot and run the system in single-user mode. This directory includes basic system utilities like ls, cp, man, less, etc.
  2. /usr/bin: Contains the majority of the system's user binaries. This directory includes most of the standard Linux commands and utilities that are not required for the system to boot or repair the system in single-user mode. Binaries like md5sum, make, dig, crontab etc are found here.
  3. /sbin: Contains essential system binaries used by the system administrator, especially those required for system booting and repair. Commands like fdisk, fsck, reboot, etc., are found here.
  4. /usr/sbin: Contains non-essential system binaries used by the system administrator. These are typically system administration commands not required for the boot process but useful for the system's operation and maintenance. Commands like poweroff, openvpn, mkfs, etc., are found here.
  5. /usr/local/bin: Contains binaries for user-installed software and custom scripts. This directory is used for software that is installed manually (not through the system's package manager) and is meant to be accessible by all users.
  6. /usr/local/sbin: Similar to /usr/local/bin, but for non-essential system binaries used by the system administrator. 
  7. /opt: Contains add-on application software packages. This directory is often used for installing third-party software.
  8. ~/bin: User-specific binaries. If you create a bin directory in your home directory (~/bin) and add it to your PATH, you can place your personal scripts and executables there.

One can locate the full path to the binary using the which command, à la:

sfo@ubuntu-linux-22-04-02-desktop:~$ which systemctl
/usr/bin/systemctl
sfo@ubuntu-linux-22-04-02-desktop:~$

With the above command configured in JumpCloud Commands and assigned to the target Linux device, we can execute it. The output of this command is blank, as we are simply adding a file to the sudoers.d directory. The result looks like this, and that's expected:

(Screenshot 2024-06-13 at 12.36.56 PM.png)

In my example, I've granted permissions to the user sfo to execute the cat, apt and fdisk commands as sudo.

We can run cat on the newly created user's sudoers file to verify its contents:

(Screenshot 2024-06-13 at 12.39.19 PM.png)

Now the end user can verify their sudo access to these limited commands from the Terminal. Here's proof for my user sfo, who is able to sudo on fdisk but not on useradd:

(Screenshot 2024-06-13 at 12.45.02 PM.png)

That's it, we've successfully granted sudo access to macOS or Linux users to execute only certain commands by leveraging JumpCloud Commands.

Revoking the access:

If administrators would like to revoke the sudo access granted to a user, it is as simple as deleting that user's custom sudoers file from the /etc/sudoers.d folder. Execute the command below to delete the custom file created:

rm /etc/sudoers.d/01-username

Once I removed this file for my test user sfo, the user was unable to execute any commands as sudo.

(Screenshot 2024-06-13 at 12.58.57 PM.png)
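The create, verify and revoke steps above for both macOS and Linux, as an added shell example that is not part of the original post. It assumes it runs as root (the way a JumpCloud Command set to run as 'root' does), so it drops the sudo prefix, which in an ordinary user's shell would apply to echo but not to the >> redirect; the function names, the directory argument (so the logic can be tried against a scratch directory first) and the visudo check are my additions, while the 01-username naming follows the post.

```shell
#!/bin/sh
# Added example: build, validate and install a sudoers.d drop-in that lets one
# user run a fixed set of commands as root, or remove it again.
# Assumes root (as a JumpCloud Command run as 'root' is); DIR is normally
# /etc/sudoers.d but can point at a scratch directory for a dry run.
set -u

# Drop-in file name for a user. sudo skips files in sudoers.d whose name
# contains a '.' or ends in '~', so those characters become '_'.
sudoers_file_name() {
    printf '01-%s\n' "$1" | tr '.~' '__'
}

# Build the rule line. sudoers needs absolute paths, so each command name is
# resolved the way the 'which' step does; a command not in PATH is an error.
build_rule() {
    user="$1"; shift
    [ $# -gt 0 ] || { echo "build_rule: no commands given" >&2; return 1; }
    list=""
    for cmd in "$@"; do
        path=$(command -v "$cmd") || { echo "build_rule: $cmd not found" >&2; return 1; }
        list="${list:+$list, }$path"
    done
    printf '%s ALL=(ALL) %s\n' "$user" "$list"
}

# grant_limited_sudo USER DIR CMD... : write DIR/01-USER with mode 0440.
# The file is written to a temp path and parsed with 'visudo -c' when visudo
# is available; a malformed file in sudoers.d breaks sudo for every user.
grant_limited_sudo() {
    user="$1"; dir="$2"; shift 2
    target="$dir/$(sudoers_file_name "$user")"
    tmp=$(mktemp) || return 1
    if ! build_rule "$user" "$@" > "$tmp"; then rm -f "$tmp"; return 1; fi
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null; then
        rm -f "$tmp"; return 1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        install -m 0440 -o 0 -g 0 "$tmp" "$target"   # root-owned, as sudo expects
    else
        install -m 0440 "$tmp" "$target"             # scratch run without root
    fi
    rm -f "$tmp"
}

# revoke_limited_sudo USER DIR : delete the drop-in, which removes the access.
revoke_limited_sudo() {
    rm -f "$2/$(sudoers_file_name "$1")"
}
```

Choose the allowed commands with care: a command that can open an editor or a shell, or read and write arbitrary files as root, grants the user far more than that one command.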

 

I hope this was informative and helpful. Until next time!

1 REPLY

BrightRodger
JumpCloud Employee

Brilliantly done! Excellent writeup and super helpful!
